Network security management for ambiguous user names

ABSTRACT

A method of managing network security can include receiving a user input comprising a user name and a password, determining whether the input user name potentially corresponds to a plurality of user accounts, determining whether the password is valid, and determining whether each of the user accounts is locked. The method can include selecting a security response to the user input based upon whether the input user name potentially corresponds to the plurality of user accounts, whether the password is valid, whether each of the user accounts is locked, and outputting the security response.

FIELD OF THE INVENTION

The embodiments of the present invention relate to network security management, and more particularly, to implementing a network security system with account lockout when using ambiguous user names.

BACKGROUND OF THE INVENTION

Passwords and user identification names (user names) are commonly used in network security systems intended to determine the authenticity of a user accessing a secure account, system, application, device, or the like. These network security systems are often vulnerable to assailants circumventing the system via repeated guesses of the account password of a user. This approach has prompted the use of lockout schemes which lock the user out of an account following a predetermined number of incorrect login attempts. In such a scheme, each incorrect login attempt may result in a strike being applied to the account and application of a predetermined number of strikes can result in the account being locked from access. For example, the network security system may allow the user to enter an incorrect password three times, after which any further failed attempts will result in the account access being locked. Upon locking access to the account a correct user name and password will no longer grant access to the account, at least until such time as it is reset by a system manager.

In certain network security systems, an input user name need not be an exact match with a user name within a user account directory to gain account access. This approach allows the user name to be ambiguous, meaning the input user name contains some quantity of letters, numbers and/or symbols in common with at least two user names in the user directory, but need not be an exact match with either user name. For example, the user may input the user name Robert, which matches the user names Robert Davis, Robert Smith, and Robert Harris. As the example shows, the use of an ambiguous user name can result in multiple user names that match a particular input user name. As a result of these multiple matches, implementation of a lockout scheme can take on greater complexity.

BRIEF SUMMARY OF THE INVENTION

The embodiments disclosed herein relate to network security management for ambiguous user names. One embodiment of the present invention can include a method of managing network security. The method can include receiving a user input comprising a user name and a password, determining whether the input user name potentially corresponds to a plurality of user accounts, determining whether the password is valid, and determining whether each of the user accounts is locked. The method further can include selecting a security response to the user input based upon whether the input user name potentially corresponds to the plurality of user accounts, whether the password is valid, whether each of the user accounts is locked, and outputting the security response.

Another embodiment of the present invention can include a system for network security management. The system can include a server that receives a user input comprising a user name and a password, determines whether the input user name potentially corresponds to a plurality of user accounts, determines whether the password is valid, and determines whether each of the user accounts is locked. The server further can select a security response to the user input based upon whether the input user name potentially corresponds to the plurality of user accounts, whether the password is valid, whether each of the user accounts is locked, and output the security response.

Yet another embodiment of the present invention can include a computer program product including a computer-usable medium having computer-usable program code that, when executed, causes a machine to perform the various steps and/or functions described herein.

BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWINGS

FIG. 1 is a block diagram illustrating a system for managing network security in accordance with one embodiment of the present invention.

FIG. 2 is a flow chart illustrating a method of managing network security in accordance with another embodiment of the present invention.

DETAILED DESCRIPTION OF THE INVENTION

As will be appreciated by one skilled in the art, the present invention may be embodied as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, including firmware, resident software, micro-code, etc., or an embodiment combining software and hardware aspects that may all generally be referred to herein as a “circuit,” “module,” or “system.”

Furthermore, the invention may take the form of a computer program product accessible from a computer-usable or computer-readable medium providing program code for use by, or in connection with, a computer or any instruction execution system. For the purposes of this description, a computer-usable or computer-readable medium can be any apparatus that can contain, store, communicate, propagate, or transport the program for use by, or in connection with, the instruction execution system, apparatus, or device.

Any suitable computer-usable or computer-readable medium may be utilized. For example, the medium can include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system (or apparatus or device), or a propagation medium. A non-exhaustive list of exemplary computer-readable media can include an electrical connection having one or more wires, an optical fiber, magnetic storage devices such as magnetic tape, a removable computer diskette, a portable computer diskette, a hard disk, a rigid magnetic disk, a magneto-optical disk, an optical storage medium, such as an optical disk including a compact disk-read only memory (CD-ROM), a compact disk-read/write (CD-R/W), or a DVD, or a semiconductor or solid state memory including, but not limited to, a random access memory (RAM), a read-only memory (ROM), or an erasable programmable read-only memory (EPROM or Flash memory).

A computer-usable or computer-readable medium further can include transmission media such as those supporting the Internet or an intranet. Further, the computer-usable medium may include a propagated data signal with the computer-usable program code embodied therewith, either in baseband or as part of a carrier wave. The computer-usable program code may be transmitted using any appropriate medium, including but not limited to the Internet, wireline, optical fiber, cable, RF, etc.

In another aspect, the computer-usable or computer-readable medium can be paper or another suitable medium upon which the program is printed, as the program can be electronically captured, via, for instance, optical scanning of the paper or other medium, then compiled, interpreted, or otherwise processed in a suitable manner, if necessary, and then stored in a computer memory.

Computer program code for carrying out operations of the present invention may be written in an object oriented programming language such as Java, Smalltalk, C++ or the like. However, the computer program code for carrying out operations of the present invention may also be written in conventional procedural programming languages, such as the “C” programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider).

A data processing system suitable for storing and/or executing program code will include at least one processor coupled directly or indirectly to memory elements through a system bus. The memory elements can include local memory employed during actual execution of the program code, bulk storage, and cache memories which provide temporary storage of at least some program code in order to reduce the number of times code must be retrieved from bulk storage during execution.

Input/output or I/O devices (including but not limited to keyboards, displays, pointing devices, etc.) can be coupled to the system either directly or through intervening I/O controllers. Network adapters may also be coupled to the system to enable the data processing system to become coupled to other data processing systems or remote printers or storage devices through intervening private or public networks. Modems, cable modems, and Ethernet cards are just a few of the currently available types of network adapters.

The present invention is described below with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.

These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function/act specified in the flowchart and/or block diagram block or blocks.

The computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.

In accordance with the embodiments below a user can input a user name and a password to a user interface in an effort to access a user account on a network. Using a series of security guidelines, a network security response to the user input can be determined based upon whether the input user name corresponds to a plurality of user accounts, the validity of the password, and whether the user account to which the user requests access is locked. The guidelines can allow the implementation of a network security system that can support an account lockout feature. The inclusion of the account lockout feature to the network security system decreases the vulnerability of the network to outside intruders seeking to gain unauthorized access to the network. Thus lockout schemes increase the overall security of the network.

FIG. 1 is a block diagram illustrating a system 100 for managing network security in accordance with one embodiment of the present invention. The system 100 can include a user interface 105, a communications network 110, a server 115, a network resource 120, account security data 125, and an account security application 130.

The user interface 105 can be any client based computing device capable of receiving inputs from a user and communicating such inputs to the communications network 110. The user interface 105 can also facilitate user interactions with the network resource 120. The user interface 105 can be implemented as, but is not limited to, a personal computer, a workstation, a wired or wireless handheld device, a touch screen device, a telephone, an entertainment or broadcast media device, an audio input transducer (e.g. microphone), an information kiosk, or any other device capable of providing the user access to a secured account or a network resource. For example, the user interface 105 can be a cellular telephone through which the user accesses an email account, a touch screen on an automatic teller machine for accessing a checking account, or an office computer through which an employee accesses a company intra-net site. Through the user interface 105, the user can input a user name and a password intended to access the secure account or the network resource via the communications network 110.

The communications network 110 may comprise a wide area network (WAN), such as the Internet, the World Wide Web, a dispatch communications network, an interconnect communications network (e.g. a cellular communications network), a public switched telephone network (PSTN), and the like. The communications network 110 also may comprise a local area network (LAN), a metropolitan area network (MAN), a WiFi network, a Mesh network, a public safety network (e.g. Astro, TETRA, HPD, etc.) and/or any other networks or systems over which communication signals can be propagated. In that regard, the communications network 110 can include wired and/or wireless communication links. Further, the communications network 110 can be implemented in accordance with any suitable communications standards, protocols, and/or architectures, or a suitable combination of such standards, protocols, and/or architectures. Accordingly, the communications network 110 can facilitate communication by transferring a user name and password 135 and network resource data 140 between the user interface 105 and the server 115.

The server 115 can be any system or device that can perform server functions within the network architecture. For example, the server 115 can run server operating systems and server applications, as well as provide database access, file access, and remote access (e.g. via the communications network 110). The server 115 also can host general utility applications via the network connection 110. In addition, the server 115 can receive messages from the communications network 110 and process such messages. For example, the server 115 can initiate events in response to such messages, forward such messages to other nodes of the network, or perform any other suitable communication functions for the network. As such, the server 115 can comprise one or more processors/controllers, data storage devices, user interfaces, communication adapters, and/or other suitable components, such as those previously described.

The network resource 120 can comprise any number of databases, general applications, websites, communications or entertainment portals (e.g. the internet or intranet), electronic or voice mail, wired or wireless access ways (e.g. cellular phone service), or any other resource requiring user authentication. For example, a long distance service on a company phone system which requires the user name and the password to gain access, a secure personnel data base within the company, or a personal checking account on a banking website all may be referred to as “network resources.”

The account security data 125 can include account security information necessary for determining user authentication to the network resource 120. The account security data 125 can include account user names, account passwords, a number of invalid account login attempts, and an access state of the account (e.g. locked or unlocked). The account security data can be employed by the account security application 130 to determine security responses.

The account security application 130 can process input security information (e.g. the user names and the passwords) received from the user interface 105 via the server 115 and determine an appropriate security response. The account security application 130 can apply a series of security guidelines based upon whether the input user name corresponds to a plurality of user accounts, the password is valid, and the user accounts corresponding to the input user name are locked. The account security application 130 can then output a security response to the network and update the account security data 125. For example, account security application 130 can receive the input user name from the server 115 and determine the input user name matches four user names found within the account security data 125. The accounts of the four user names may include two locked user accounts and two unlocked user accounts. The password may be determined to be valid for only one of the four matching user names. The account security application 130 then can determine that the correct security response to the user input is to allow access to the one user account for which the password is valid and deny access to all other user accounts. Once access is allowed, the account security application 130 may grant the user access to the user account or the network resource 120 via the server 115.

FIG. 2 is a flow chart illustrating a method 200 of managing network security in accordance with another embodiment of the present invention. The method 200 can be implemented using the system described with reference to FIG. 1 or another system with the same or similar functionality. The method 200 can use a series of guidelines to determine a security response upon receiving a user input of a user name and a password. These guidelines are based upon whether the user name is ambiguous, the password is valid, and the user is currently locked from accessing a user account. As used herein, the phrase “ambiguous user name” means an input user name that corresponds to each user name associated with a plurality of user accounts. Each of the corresponding user names will share some common grouping of letters, numbers, or symbols with the input user name. For example, the input user name “John” may be ambiguous and match the user names John Smith, John Davis, and John Mills, all of which can be considered matching user names to the ambiguous user name “John.” The term “matching user account”, as used herein, means a plurality of user accounts associated with the user names that correspond to the input user name, or following the earlier example, the user accounts of John Smith, John Davis, and John Mills would be considered matching user accounts to the input user name John.

Also, the term “strike,” as used herein, means a recording of an incorrect login attempt to the user account. For example, the user may input the valid unambiguous user name “John Doe” and the invalid password “airport,” resulting in the incorrect login attempt. As a result of the incorrect login attempt, a strike may be added to the user account of John Doe. As described earlier, the accumulation of a predetermined number of strikes can lead to the user account being locked.

Beginning at step 205, the input user name and the password can be received. The user input can be communicated via a user interface. Referring to decision box 210, when the password is determined to be invalid, the method 200 can proceed to decision box 215. When the password is determined to be valid, the method 200 may proceed to decision box 220. At decision box 215, when the user name is determined to be unambiguous, the method 200 can proceed to decision box 225. At decision box 225, when the user account is unlocked, the method 200 can proceed to step 235 and the user may be denied access to the user account associated with the unambiguous user name, as well as at least one strike added to the user account. For example, when the user name “John Doe” and the password “airport” are input to the user interface, John Doe may be determined to be a unique user name, and therefore unambiguous. The password airport may be determined to be valid for the user account of John Doe, however it also may be determined that the user account of John Doe is unlocked. In this case, the user can be denied access to the user account of John Doe and at least one strike may be added to the user account.

Returning to decision box 225, when the user account is locked, the method 200 can proceed to step 240 and the user may be denied access to the user account associated with the unambiguous user name. For example, when the user name “John Doe” and the password “airport” are input to the user interface, John Doe may be determined to be a unique user name, and therefore unambiguous. Further, the password airport may be determined to be invalid for the user name John Doe. It also may be determined that the user account John Doe is locked. In this case, the user can be denied access to the user account of John Doe.

Returning to decision box 215, when the user name is ambiguous, the method 200 can proceed to decision box 230. At decision box 230, when all of the matching user accounts are locked, the method 200 can proceed to step 240 and the user may be denied access to the matching user account. For example, when the input user name is “John” and the password is “airport”, it may be determined that the user names John Mint, John Doe, and Johnny, are a match to the input user name John. The password airport may be determined to be invalid for all of the matching user accounts. It also may be determined that all of the user accounts of John Mint, John Doe, and Johnny are locked. Therefore, access may be denied to the user accounts of John Mint, John Doe, and Johnny.

Returning to decision box 230, when none or some of the matching user accounts are locked, the method 200 can proceed to step 245. At step 245, access can be denied to the matching user accounts and at least one strike can be added to the unlocked matching user accounts. Using the earlier example, when the input user name is “John” and the password is “airport”, it may be determined that the user names John Mint, John Doe, and Johnny are a match to the input user name John. Further, the password airport may be determined to be invalid for all of the matching user accounts. It also can be determined that all matching user accounts are unlocked or that some matching user accounts are unlocked. In the case of all of the user accounts being unlocked and the case of some of the user accounts being unlocked, user access can be denied to the user accounts of John Mint, John Doe, and Johnny. When all of the matching user accounts are unlocked then at least one strike may be added to each of the user accounts of John Mint, John Doe, and Johnny. When only some of the user accounts are unlocked, for example only the user account of John Doe is unlocked, then the user account of John Doe can have at least one strike added and the locked user accounts of John Mint and Johnny can be left unchanged.

Returning to decision box 210, when the password is determined to be valid, the method 200 can proceed to decision box 220. At decision box 220, when the user name is determined to be unambiguous, the method 200 can proceed to decision box 250. When the user name is ambiguous, the method 200 may proceed to decision box 260. At decision box 250, when the user account is locked, the method 200 can proceed to step 240 and the user may be denied access to the user account. As an example, when the user name “John Doe” and the password “airport” are input to the user interface, John Doe may be determined to be a unique user name, and therefore unambiguous. The password airport may be determined to be valid for the user account of John Doe, however it also may be determined that the user account of John Doe is locked. In this case, the user may be denied access to the user account of John Doe.

Returning to decision box 250, when the user account is unlocked, the method 200 can proceed to step 255 and user access can be allowed to the user account. For example, when the user name “John Doe” and the password “airport” are input to the user interface, John Doe may be determined to be a unique user name, and therefore unambiguous. The password airport may be determined to be valid for the user account John Doe. It also may be determined that the user account of John Doe is unlocked. In this case, the user can be allowed access to the user account of John Doe.

Returning to decision box 260, when all of the matching user accounts are locked, the method 200 can proceed to step 240 and deny access to the matching user accounts. In this example, when the input user name is “John” and the password is “airport”, it may be determined that all of the user names John Mint, John Doe, and Johnny are a match to the input user name “John”. Further, the password airport may be determined to be valid for at least one of the matching user accounts. It also may be determined that the matching user accounts of John Mint, John Doe, and Johnny are locked. In this case, the user may be denied access to the user accounts of John Mint, John Doe, and Johnny.

Returning to decision box 260, when none of the matching user accounts are locked, the method 200 proceeds to decision box 265. At decision box 265, when the password is valid for only one of the matching user accounts, the method 200 can proceed to step 255 and may allow the user access to the user account for which the password is valid. For example, when the input user name is “John” and the password is “airport”, it may be determined that the user names John Mint, John Doe, and Johnny, are a match to the input user name John. The password airport may be determined to be valid only for the user account of John Doe. It also may be determined that none of the user accounts of John Mint, John Doe, and Johnny are locked. In this case, the user can be allowed access to the user account of John Doe.

Returning to decision box 265, when the password is valid not only for one of the matching user accounts, the method 200 can proceed to step 245 and may deny the user access to the matching user accounts, as well as add at least one strike to the unlocked matching user accounts. It should be noted that since there are matching user name and password combinations for this case, the addition of strikes to the user accounts can be optional. For example, when the input user name is “John” and the password is “airport”, it may be determined that the user names John Mint, John Doe, and Johnny, are a match to the input user name John. The password airport may be determined to be valid not only for one of the matching user accounts, however it also may be determined that the matching user accounts of John Mint, John Doe and Johnny are locked. In this case, the user can be denied access to the user accounts of John Mint, John Doe and Johnny, and at least one strike added to each user account.

Returning to decision box 260, when some of the matching user accounts are locked, the method 200 proceeds to decision box 270. At decision box 270, when it is determined the password is valid not only for one matching user account, the method can proceed to step 245 and deny access to the matching user accounts, as well as add at least one strike to the unlocked matching user accounts. It should be noted that since there are matching user name and password combinations for this case, the addition of strikes to the user accounts can be optional. In this example, when the input user name is “John” and the password is “airport”, it may be determined that the user names John Mint, John Doe, and Johnny, are a match to the input user name “John”. The password “airport” may be determined to be valid not only for one matching user account, though it also may be determined that at least one of the matching user accounts is locked (e.g. John Doe) and at least one of the matching user accounts is unlocked (e.g. John Mint and Johnny). In this case, the user can be denied access to the user accounts of John Mint, John Doe, and Johnny and at least one strike added to each of the user accounts of John Mint and Johnny.

Returning to decision box 270, when the password is valid for only one matching user account, the method 200 can proceed to decision box 275. At decision box 275, when the user account for which the password is valid is locked, the method 200 can proceed to step 245 and can deny access to the matching user accounts, as well as add at least one strike to the unlocked matching user accounts. In this example, when the input user name is “John” and the password is “airport”, the user names John Mint, John Doe, and Johnny can be determined to match the input user name John. Further, the password airport may be determined to be valid for only one matching user account and that the user account is locked (e.g. John Doe). It also may be determined that at least one of the matching user accounts is locked (e.g. John Doe) and at least one of the matching user accounts is unlocked (e.g. John Mint and Johnny). In this case, the user can be denied access to the user accounts of John Mint, John Doe, and Johnny, and at least one strike added to the user accounts of John Mint and Johnny.

At decision box 275, when the user account for which the password is valid is unlocked, the method 200 can proceed to step 255 and may allow access to the user account with the valid password. In this example, when the input user name is “John” and the password is “airport”, it may be determined that the user names John Mint, John Doe, and Johnny are a match to the input user name John. Further, the password airport may be determined to be valid for only one matching user account and that the user account is unlocked (e.g. John Mint). It also may be determined that at least one of the matching user accounts is locked (e.g. John Doe) and at least one of the matching user accounts is unlocked (e.g. John Mint and Johnny). In this case, the user can be allowed access to the user account of John Mint.

Mention should be made that steps 235-245 and step 255 each represent the security response of the method 200 to each of the security conditions (i.e. user inputs and user account histories) covered in FIG. 2. Further, an output of these security responses can be inferred within steps 235-245 and step 255. For example, the method 200 can deny access to the user and output this access denial to the server, or output to an account directory when adding at least one strike to the user account.
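The decision boxes of method 200 reduce to a short function, shown here as an added sketch that is not code from the patent. It assumes prefix matching for ambiguous names, a three-strike lock threshold and PBKDF2 password hashes; the names `Account`, `matching_accounts` and `respond` are hypothetical.

```python
import hashlib
import hmac
import os

MAX_STRIKES = 3  # assumption: threshold taken from the three-attempt example


def _hash(password, salt):
    # Salted PBKDF2 so the sketch never compares plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


class Account:
    """One entry of the account security data 125 (hypothetical layout)."""

    def __init__(self, user_name, password, locked=False):
        self.user_name = user_name
        self.salt = os.urandom(16)
        self.pw_hash = _hash(password, self.salt)
        self.strikes = 0
        self.locked = locked

    def password_ok(self, password):
        return hmac.compare_digest(self.pw_hash, _hash(password, self.salt))

    def add_strike(self):
        self.strikes += 1
        if self.strikes >= MAX_STRIKES:
            self.locked = True


def matching_accounts(directory, input_name):
    # Assumption: "ambiguous" is modelled as a case-insensitive prefix match.
    key = input_name.casefold()
    return [a for a in directory if a.user_name.casefold().startswith(key)]


def respond(directory, input_name, password):
    """Return (step number from FIG. 2, granted user name or None)."""
    matches = matching_accounts(directory, input_name)
    if not matches:
        return (240, None)  # assumption: unknown names get a plain denial
    # Check the password against every match, locked or not, before branching.
    valid_for = [a for a in matches if a.password_ok(password)]
    unlocked = [a for a in matches if not a.locked]

    def deny_and_strike(step):
        for account in unlocked:  # locked accounts are left unchanged
            account.add_strike()
        return (step, None)

    if not unlocked:  # boxes 225, 230, 250, 260: every match is locked
        return (240, None)
    if len(matches) == 1:  # boxes 215/220: unambiguous user name
        if valid_for:
            return (255, matches[0].user_name)  # box 250: unlocked, valid
        return deny_and_strike(235)  # box 225: unlocked, invalid
    # Ambiguous name: allow only when exactly one match accepts the password
    # and that account is itself unlocked (boxes 265, 270, 275).
    if len(valid_for) == 1 and not valid_for[0].locked:
        return (255, valid_for[0].user_name)
    return deny_and_strike(245)


def demo():
    # Constructed directory using the names from the description.
    directory = [
        Account("John Mint", "harbor"),
        Account("John Doe", "airport"),
        Account("Johnny", "station", locked=True),
    ]
    attempts = [
        ("John", "airport"),      # valid for one unlocked match
        ("John", "wrong"),        # invalid, some matches unlocked
        ("John Doe", "wrong"),    # unambiguous, invalid
        ("John", "station"),      # valid only for a locked match
        ("John Doe", "airport"),  # correct password, account now locked
        ("John", "wrong"),
        ("John", "harbor"),       # every match locked
    ]
    results = [respond(directory, name, pw) for name, pw in attempts]
    state = {a.user_name: (a.strikes, a.locked) for a in directory}
    return results, state


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Because step 245 strikes every unlocked match, denied attempts against an ambiguous name count against several accounts at once, which is worth considering when choosing the lock threshold.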

As used herein, “output” or “outputting” can include, but is not limited to, writing to a file, writing to a user display or other output device, playing audible notifications, sending or transmitting to another system, exporting, or the like.

The flowchart(s) and block diagram(s) in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart(s) or block diagram(s) may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the blocks may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagram(s) and/or flowchart illustration(s), and combinations of blocks in the block diagram(s) and/or flowchart illustration(s), can be implemented by special purpose hardware-based systems that perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.

The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used herein, the singular forms “a,” “an,” and “the” are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms “comprises” and/or “comprising,” when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.

The corresponding structures, materials, acts, and equivalents of all means or step plus function elements in the claims below are intended to include any structure, material, or act for performing the function in combination with other claimed elements as specifically claimed. The description of the present invention has been presented for purposes of illustration and description, but is not intended to be exhaustive or limited to the invention in the form disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the invention. The embodiments were chosen and described in order to best explain the principles of the invention and the practical application, and to enable others of ordinary skill in the art to understand the invention for various embodiments with various modifications as are suited to the particular use contemplated.

Having thus described the invention of the present application in detail and by reference to the embodiments thereof, it will be apparent that modifications and variations are possible without departing from the scope of the invention defined in the appended claims.

1. A computer-implemented method of managing network security comprising: receiving a user input from a user comprising a user name and a password; determining whether the input user name potentially corresponds to a plurality of user accounts; determining whether the password is valid; determining whether each of the user accounts is locked; selecting a security response to the user input based upon whether the input user name potentially corresponds to the plurality of user accounts, whether the password is valid, and whether each of the user accounts is locked; and outputting the security response.
2. The computer-implemented method of claim 1, wherein selecting the security response to the user input further comprises: denying access to the user to a first of the user accounts in response to determining that the input user name corresponds to a user name associated with the first user account, determining that the password is invalid, and determining that the first user account is locked.
3. The computer-implemented method of claim 1, wherein selecting the security response to the user input further comprises: denying access to the user to a first of the user accounts and adding at least one strike to the first user account in response to determining that the input user name corresponds to a user name associated with the first user account, determining that the password is invalid, and determining that the first user account is unlocked.
4. The computer-implemented method of claim 1, wherein selecting the security response to the user input further comprises: denying access to the user to the plurality of user accounts in response to determining that the input user name corresponds to a user name associated with each of the user accounts, determining that the password is invalid, and determining that each of the user accounts is locked.
5. The computer-implemented method of claim 1, wherein selecting the security response to the user input further comprises: denying access to the user to the plurality of user accounts and adding at least one strike to each of the user accounts in response to determining that the input user name corresponds to a user name associated with each of the user accounts, determining that the password is invalid, and determining that each of the user accounts is unlocked.
6. The computer-implemented method of claim 1, wherein selecting the security response to the user input further comprises: denying access to the user to the plurality of user accounts and adding at least one strike to each of the plurality of user accounts that is unlocked in response to determining that the input user name corresponds to a user name associated with each of the user accounts, determining that the password is invalid, and determining that at least the first user account is unlocked, and at least a second of the plurality of user accounts is locked.
7. The computer-implemented method of claim 1, wherein selecting the security response to the user input further comprises: denying access to the user to a first of the user accounts in response to determining that the input user name corresponds to a user name associated with the first user account, determining that the password is valid, and determining that the first user account is locked.
8. The computer-implemented method of claim 1, wherein selecting the security response to the user input further comprises: allowing access to the user to a first of the user accounts in response to determining that the input user name corresponds to a user name associated with the first user account, determining that the password is valid, and determining that the first user account is unlocked.
9. The computer-implemented method of claim 1, wherein selecting the security response to the user input further comprises: denying access to the user to the plurality of user accounts in response to determining that the input user name corresponds to a user name associated with each of the user accounts, determining that the password is valid, and determining that each of the user accounts is locked.
10. The computer-implemented method of claim 1, wherein selecting the security response to the user input further comprises: allowing access to the user to a first of the user accounts for which the password is valid in response to determining that the input user name corresponds to a user name associated with each of the user accounts, determining that the password is valid only for the first user account, and determining that each of the user accounts is unlocked.
11. The computer-implemented method of claim 1, wherein selecting the security response to the user input further comprises: denying access to the user to the plurality of user accounts and adding at least one strike to each of the user accounts in response to determining that the input user name corresponds to a user name associated with each of the user accounts, determining that the password is valid not only for a first of the plurality of user accounts, and determining that each of the user accounts is unlocked.
12. The computer-implemented method of claim 1, wherein selecting the security response to the user input further comprises: denying access to the user to the plurality of user accounts in response to determining that the input user name corresponds to a user name associated with each of the user accounts, determining that the password is valid not only for a first of the plurality of user accounts, and determining that each of the user accounts is unlocked.
13. The computer-implemented method of claim 1, wherein selecting the security response to the user input further comprises: denying access to the user to the plurality of user accounts and adding at least one strike to each of the user accounts in response to determining that the input user name corresponds to a user name associated with each of the user accounts, determining that the password is valid not only for a first of a plurality of user accounts, and determining that at least the first user account is locked and at least a second of the plurality of user accounts is unlocked.
14. The computer-implemented method of claim 1, wherein selecting the security response to the user input further comprises: denying access to the user to the plurality of user accounts in response to determining that the input user name corresponds to a user name associated with each of the user accounts, determining that the password is valid not only for a first of a plurality of user accounts, and determining that at least the first user account is locked and at least a second of the plurality of user accounts is unlocked.
15. The computer-implemented method of claim 1, wherein selecting the security response to the user input further comprises: denying access to the user to the plurality of user accounts and adding at least one strike to each of the plurality of user accounts that is unlocked in response to determining that the input user name corresponds to a user name associated with each of the user accounts, determining that the password is valid only for a first user account, and determining that at least the first user account is locked and at least a second of the plurality of user accounts is unlocked.
16. The computer-implemented method of claim 1, wherein selecting the security response to the user input further comprises: allowing access to the user to a first of the user accounts in response to determining that the input user name corresponds to a user name associated with each of the user accounts, determining that the password is valid only for the first user account, and determining that at least the first user account is unlocked and at least a second of the plurality of user accounts is locked.
17. A network security management system comprising: a server comprising at least one processor and at least one memory element, the server operable to: receive a user input from a user comprising a user name and a password; determine whether the input user name potentially corresponds to a plurality of user accounts; determine whether the password is valid; determine whether each of the user accounts is locked; via the processor, select a security response to the user input based upon whether the input user name potentially corresponds to the plurality of user accounts, whether the password is valid, and whether each of the user accounts is locked; and output the security response.
18. A computer program product comprising: a computer-usable storage device having stored thereon computer-usable program code that, when executed by a system comprising a processor and a memory, manages network security, the computer-usable storage device comprising: computer-usable program code that receives a user input from a user comprising a user name and a password; computer-usable program code that determines whether the input user name potentially corresponds to a plurality of user accounts; computer-usable program code that determines whether the password is valid; computer-usable program code that determines whether each of the user accounts is locked; computer-usable program code that selects a security response to the user input based upon whether the input user name potentially corresponds to the plurality of user accounts, whether the password is valid, and whether each of the user accounts is locked; and computer-usable program code that outputs the security response.
19. The computer program product of claim 18, wherein the computer-usable program code that selects the security response to the user input further comprises: computer-usable program code that denies access to the user to a first of the user accounts in response to determining that the input user name corresponds to a user name associated with the first user account, determining that the password is invalid, and determining that the first user account is locked.
20. The computer program product of claim 18, wherein the computer-usable program code that selects the security response to the user input further comprises: computer-usable program code that denies access to the user to a first of the user accounts and adds at least one strike to the first user account in response to determining that the input user name corresponds to a user name associated with the first user account, determining that the password is invalid, and determining that the first user account is unlocked.